TRANSCRIPT
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware
Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis, Michalis Polychronakis
Android Dominates Market Share
• Smartphones have overtaken client PCs
• Android accounted for 79% of the global smartphone market in 2013
[Chart: Q2 2013 smartphone market share: Android 79.0%, iOS 14.2%, Microsoft 3.3%, Other 3.6%]
Android Malware
• 98% of all mobile threats target Android devices
[Chart: distribution of mobile malware detected by platform, 2013]
Android specific anti-malware tools
• Static analysis tools (AV apps)
  – Identify malware through signatures
  – Usually installed by users
  – Real-time protection
  – How to evade static analysis? (DroidChameleon, ASIA CCS ’13)
• Dynamic analysis services
  – Used by security companies
  – Run applications on an emulator
  – Detect suspicious behavior
  – How to evade dynamic analysis? (This work)
Our Study
• A taxonomy of emulation evasion heuristics
• Evaluation of our heuristics on popular dynamic analysis services for Android
• Countermeasures
Objective: Can we effectively detect an emulated Android analysis environment?
VM Evasion Heuristics
Category     Type                                   Example
Static       Pre-installed static information       IMEI has a fixed value
Dynamic      Dynamic information does not change    Sensors always produce the same value
Hypervisor   VM instruction emulation               Native code runs differently
Static Heuristics
• Device ID (IdH)
  – IMEI, IMSI
• Current build (buildH)
  – Fields: PRODUCT, MODEL, HARDWARE
• Routing table (netH)
  – Virtual router address space: 10.0.2/24
  – Emulated network IP address: 10.0.2.15
[Figure: IMEI 123456789012347 vs null; MODEL Nexus 5 vs google_sdk; /proc/net/tcp on an ordinary network vs the emulated network. Example: the Android Pincer malware family]
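The three static heuristics above double as a self-audit for whoever operates an analysis environment: if the emulator still exposes the stock values, IdH, buildH and netH all fire and a sample can simply stay quiet. The Python script below is an added example, not the authors' code or any service's tooling. It assumes a flat profile dict with the field names shown (imei, imsi, PRODUCT, MODEL, HARDWARE, ip, routes), takes the google_sdk marker and the 10.0.2/24 network from the slide, and adds two things the slide does not mention: the emulator's goldfish hardware name as a second build marker, and an IMEI Luhn check so that a replacement IMEI is at least checksum-consistent. Both sample profiles are constructed.

```python
"""Sandbox self-audit for the three static heuristics on the slides (IdH, buildH,
netH). Added example, not the authors' code: the profile layout, the field names
and the two sample profiles are constructed for illustration."""
import ipaddress
from typing import Dict, List

# "google_sdk" comes from the slide; "goldfish" is the classic emulator's kernel
# hardware name and is an addition here (assumed marker, not on the slides).
EMULATOR_BUILD_MARKERS = ("google_sdk", "goldfish")
# Slide: virtual router address space 10.0.2/24, emulated host address 10.0.2.15.
EMULATOR_NETWORK = ipaddress.ip_network("10.0.2.0/24")
EMULATOR_HOST_IP = ipaddress.ip_address("10.0.2.15")


def luhn_valid(digits: str) -> bool:
    """IMEI check-digit validation (Luhn). Not on the slides; added so that an
    operator who replaces the emulator's IMEI picks a checksum-consistent one."""
    if not digits.isdigit() or len(digits) != 15:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def id_heuristic(profile: Dict[str, object]) -> List[str]:
    """IdH: identifiers that are missing, the literal 'null', or (IMEI) fail Luhn."""
    reasons = []
    for key in ("imei", "imsi"):
        value = str(profile.get(key) or "")
        if not value or value.lower() == "null":
            reasons.append(f"{key} is missing/null")
        elif key == "imei" and not luhn_valid(value):
            reasons.append(f"imei {value} fails the Luhn check")
    return reasons


def build_heuristic(profile: Dict[str, object]) -> List[str]:
    """buildH: Build.PRODUCT / MODEL / HARDWARE still carry an emulator marker."""
    reasons = []
    for field in ("PRODUCT", "MODEL", "HARDWARE"):
        value = str(profile.get(field, "")).lower()
        if any(marker in value for marker in EMULATOR_BUILD_MARKERS):
            reasons.append(f"{field} = {profile.get(field)!r}")
    return reasons


def net_heuristic(profile: Dict[str, object]) -> List[str]:
    """netH: interface address or routing table points at the emulated network."""
    reasons = []
    ip = profile.get("ip")
    if ip:
        addr = ipaddress.ip_address(str(ip))
        if addr == EMULATOR_HOST_IP or addr in EMULATOR_NETWORK:
            reasons.append(f"address {ip} lies in {EMULATOR_NETWORK}")
    for route in profile.get("routes", []):
        if ipaddress.ip_network(route, strict=False) == EMULATOR_NETWORK:
            reasons.append(f"route to {route} (virtual router)")
    return reasons


def audit(profile: Dict[str, object]) -> Dict[str, List[str]]:
    """Return the static heuristics that would fire, with the evidence for each."""
    results = {"IdH": id_heuristic(profile),
               "buildH": build_heuristic(profile),
               "netH": net_heuristic(profile)}
    return {name: reasons for name, reasons in results.items() if reasons}


# Constructed profiles: a stock emulator image and a device-like configuration.
STOCK_EMULATOR = {
    "imei": "null", "imsi": None,
    "PRODUCT": "google_sdk", "MODEL": "google_sdk", "HARDWARE": "goldfish",
    "ip": "10.0.2.15", "routes": ["10.0.2.0/24"],
}
DEVICE_LIKE = {
    "imei": "123456789012347", "imsi": "310260000000000",
    "PRODUCT": "hammerhead", "MODEL": "Nexus 5", "HARDWARE": "hammerhead",
    "ip": "192.168.1.23", "routes": ["192.168.1.0/24"],
}

if __name__ == "__main__":
    for name, profile in (("stock emulator", STOCK_EMULATOR), ("device-like", DEVICE_LIKE)):
        print(f"{name}: {audit(profile) or 'no static heuristic fires'}")
```

Run it against a dump of your own instance's values: every key left in the output is a field the sample can read with ordinary SDK calls, so the fix is the one the Countermeasures slide names, modifying the emulator image rather than the analysis pipeline.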
Dynamic Heuristics (1/3)
• Sensors
  – A key difference between mobile and conventional systems
  – New opportunities for mobile device identification
  – Can emulators realistically simulate device sensors?
    • Partially: same value, equal time intervals
[Figure: accelerometer, gyroscope, GPS, gravity sensor, proximity sensor, rotation vector, magnetic field]
Dynamic Heuristics (2/3)
[Plot: generation of the same value at equal time intervals; 0.8 ± 0.003043]
Dynamic Heuristics (3/3)
• Sensor-based heuristics
• Android Activity that monitors sensors’ output values
• We implemented this algorithm for a variety of sensors
  – Accelerometer (accelH)
  – Magnetic field (magnFH)
  – Rotation vector (rotVecH)
  – Proximity (proximH)
  – Gyroscope (gyrosH)
Hypervisor Heuristics
• Try to identify the virtual machine hosting the app
• Android Emulator is based on QEMU
• Our heuristics
  – Based on QEMU’s incomplete emulation of the actual hardware
  – Identify QEMU scheduling
  – Identify QEMU execution using self-modifying code
Identify QEMU Scheduling (1/2)
• Virtual PC in QEMU
  – Is updated only after the execution of a basic block (branch)
  – OS scheduling does not occur during a basic block
• QEMU Binary Translation (BT) Detection
  – Monitor scheduling addresses of a thread
    • Real device: various scheduling points
    • Emulator: a unique scheduling point
  – BTdetectH
[Figure: ARM architecture. Device: memory with separate I-Cache and D-Cache; emulator: memory with a single cache. Old code is overwritten by new code (I-Cache miss). Android cacheflush: 1. clean the D-Cache range, 2. invalidate the I-Cache; then run the code. Caches are not coherent!]
Identify QEMU execution – xFlowH
[Figure: the self-modifying code test run with and without cacheflush(). With cacheflush: same behavior. Without cacheflush: different behavior!]
Thanasis Petsas 16
Implementation
• Use of Android SDK for static & dynamic heuristics
• Use of Android NDK for hypervisor heuristics
• Implementation of an Android app
  – Runs the heuristics
  – Sends the results to an HTTP server
• Repackaging of well-known Android malware samples
  – Smali/Baksmali
  – Apktool
  – Patching the Smali Dalvik bytecode
Evaluation: Dynamic Analysis Services
• Stand-alone tools
  – DroidBox, DroidScope, TaintDroid
• Online services
  – Andrubis, SandDroid, ApkScan, Visual Threat, TraceDroid, CopperDroid, APK Analyzer, ForeSafe, Mobile SandBox
Resilience of dynamic analysis tools
[Table: resilience of each service to the static, dynamic and hypervisor heuristics]
• All studied services are vulnerable to 5 or more heuristics
• These tools failed to infer malicious behavior of the repackaged malware samples
• Only 1 service provides information about VM evasion attempts
Countermeasures
• Static heuristics
  – Emulator modifications
• Dynamic heuristics
  – Realistic sensor event simulation
• Hypervisor heuristics
  – Accurate binary translation
  – Hardware-assisted virtualization
  – Hybrid application execution
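The sensor heuristic from the dynamic slides (the same value at equal time intervals) and the countermeasure listed here (realistic sensor event simulation) can be exercised together offline. The Python below is an added example, not the authors' Activity or any service's code: it assumes events arrive as (timestamp, values) tuples, uses constructed thresholds (value_eps, interval_tol) and two constructed feeds, a stock-emulator-like one at a fixed 0.8 s period and a jittered, noisy one standing in for a realistic simulation. The verdict function applies the slide's criterion (constant values and regular timing at once); the report exposes each flag separately, because an operator would want both to read False.

```python
"""Check a sensor event stream for the emulator signature on the slides (the same
value delivered at equal time intervals) and contrast a stock-emulator-like feed
with a jittered, noisy one. Added example, not the authors' code; event layout,
thresholds and both feeds are constructed."""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

Event = Tuple[float, Tuple[float, ...]]  # (timestamp in seconds, sensor vector)


def analyze(events: Sequence[Event], value_eps: float = 1e-6,
            interval_tol: float = 0.05) -> Dict[str, object]:
    """Report whether readings are constant and whether delivery is periodic.

    value_eps: largest per-axis difference still treated as 'the same value'.
    interval_tol: allowed spread of inter-event gaps relative to the mean gap.
    Both thresholds are constructed, not taken from the slides.
    """
    report: Dict[str, object] = {"samples": len(events),
                                 "constant_value": False, "regular_timing": False}
    if len(events) < 3:
        return report  # too few events to judge either property
    first = events[0][1]
    report["constant_value"] = all(
        max(abs(a - b) for a, b in zip(vec, first)) <= value_eps for _, vec in events)
    gaps = [t1 - t0 for (t0, _), (t1, _) in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    report["regular_timing"] = mean_gap > 0 and (max(gaps) - min(gaps)) / mean_gap <= interval_tol
    return report


def looks_emulated(events: Sequence[Event]) -> bool:
    """The slide's criterion: the same value at equal time intervals (both at once)."""
    report = analyze(events)
    return bool(report["constant_value"] and report["regular_timing"])


def stock_emulator_stream(n: int = 50, period: float = 0.8,
                          value: Tuple[float, ...] = (0.0, 9.81, 0.0)) -> List[Event]:
    """Constructed feed modelled on the slide's plot: a fixed vector at a fixed period."""
    return [(i * period, value) for i in range(n)]


def realistic_stream(n: int = 50, period: float = 0.8, seed: int = 7) -> List[Event]:
    """Constructed stand-in for 'realistic sensor event simulation': scheduling jitter
    on delivery times plus small per-axis noise around a resting accelerometer."""
    rng = random.Random(seed)           # seeded so the feed is reproducible
    events: List[Event] = []
    t = 0.0
    for _ in range(n):
        t += period * rng.uniform(0.85, 1.15)            # +/-15 % delivery jitter
        vec = tuple(base + rng.gauss(0.0, 0.05) for base in (0.0, 9.81, 0.0))
        events.append((t, vec))
    return events


if __name__ == "__main__":
    for name, feed in (("stock emulator", stock_emulator_stream()),
                       ("jittered simulation", realistic_stream())):
        print(f"{name}: {analyze(feed)} -> emulated? {looks_emulated(feed)}")
```

A feed with constant values but jittered timing, or the reverse, does not satisfy the combined criterion, yet either flag on its own is still a fingerprint a more careful check could use; that is why the report keeps the two flags separate rather than only returning the verdict.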
Summary
• Evaluation of VM evasion on 12 Android dynamic analysis tools
• Only half of the services detected our most trivial heuristics
• No service was resilient to our dynamic and hypervisor heuristics
• The majority of the services failed to detect repackaged malware
• Only 1 service
  – generated VM evasion attempts
  – was resilient to all our static heuristics
Thank you!
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware
Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis ({petsas, jvoyatz, elathan, sotiris}@ics.forth.gr)
Michalis Polychronakis ([email protected])